4
votes

UPDATED:

I have organized my configs into a role based directory structure. Some of those roles have default variable files that have encrypted text. Here's a simplified and tested task list that fails:

---
- name: 'Include some additional variables'
  include_vars:
    dir: "{{playbook_dir}}/roles/foo/defaults/vars"
  tags: 'debug'

- name: 'Debug: display the variables'
  debug:
    msg: "{{item}}"
  with_items:
    - "{{encrypted_text_from_yml_file}}"
  tags: 'debug'

- name: 'Deploy Foo plugins'
  block:
    - name: 'Transfer the folder to the application directory'
      synchronize:
        src: 'some_src_folder'
        dest: "{{some_unencrypted_text_from_another_yml_file}}"
        archive: false
        recursive: true
  tags: 'debug'

I'm seeing the following error, however, when executing my playbook:

TASK [<some_app> : Transfer the <some_folder> folder to the application directory] **********************************************************************************
fatal: [<some_hostname>]: FAILED! => {"failed": true, "msg": "Decryption failed (no vault secrets would found that could decrypt)"}

My credentials are being retrieved from a password file.

I tossed a debug task right after the variable include and all my variables that were encrypted displayed. The weird thing is the block of tasks where the exception is occurring is using a synchronize module. No variables from the vault are even being used...

Any idea how to troubleshoot this? I increased the verbosity up to -vvvv and didn't see anything obvious.

Using: ansible 2.4.0.0

3
Please post an MCVE - techraf
I updated my question to include some sample code that can reproduce the issue. - Paul Calabro
If you take only the code you posted up there and run it on a fresh machine - does the problem occur? - techraf
I just tried on a fresh VM. Wasn't able to reproduce. - Paul Calabro
Sry, it's not an MCVE, just an E. - techraf

3 Answers

3
votes

I figured out the issue. I accidentally truncated an encrypted string in group_vars/all. Using -vvvvv (note the 5th v) actually helped reveal an HMAC issue.
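Added example, not code from the answer above or from Ansible itself: a stand-alone check that shows why a truncated vault string surfaces as an HMAC error. It mirrors the layout of Ansible's AES256 vault payload (outer hex wrapping salt, HMAC and ciphertext, keys derived with PBKDF2-HMAC-SHA256) only as far as the HMAC layer, so it can verify integrity of every `!vault |` block in a vars file without decrypting anything. The password, salt, ciphertext bytes and the vars-file text are constructed for the demo, and the ciphertext is a placeholder rather than real AES-CTR output.

```python
import binascii
import hashlib
import hmac

# Constants of Ansible's AES256 vault payload format (header versions 1.1 and 1.2)
VAULT_HEADERS = ("$ANSIBLE_VAULT;1.1;AES256", "$ANSIBLE_VAULT;1.2;AES256")
PBKDF2_ITERATIONS = 10000


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> (AES key, HMAC key, IV), split the way Ansible does."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=80)
    return derived[:32], derived[32:64], derived[64:80]


def build_vault_blob(password: bytes, salt: bytes, ciphertext: bytes) -> str:
    """Assemble a vault blob around caller-supplied ciphertext bytes. Only the
    HMAC layer is computed here; no AES is involved, so no crypto library is needed."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac, binascii.hexlify(ciphertext)])
    outer = binascii.hexlify(inner).decode()
    # ansible-vault writes the outer hex wrapped at 80 columns
    return "\n".join([VAULT_HEADERS[0]] + [outer[i:i + 80] for i in range(0, len(outer), 80)])


def check_vault_blob(blob: str, password: bytes) -> str:
    """Return 'ok', or a short reason the blob would fail to decrypt."""
    lines = [ln.strip() for ln in blob.strip().splitlines()]
    if not lines or not lines[0].startswith(VAULT_HEADERS):
        return "bad header"
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
    except ValueError:  # binascii.Error is a ValueError: odd length or non-hex digit
        return "outer hex invalid (truncated or corrupted string)"
    parts = inner.split(b"\n")
    if len(parts) != 3:
        return "payload is not salt/hmac/ciphertext"
    try:
        salt = binascii.unhexlify(parts[0])
        expected_mac = parts[1].decode("ascii")
        ciphertext = binascii.unhexlify(parts[2])
    except ValueError:
        return "inner hex invalid (truncated or corrupted string)"
    if len(salt) != 32 or len(expected_mac) != 64:
        return "salt or hmac has the wrong length"
    _, hmac_key, _ = derive_keys(password, salt)
    actual_mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(actual_mac, expected_mac):
        return "hmac mismatch (wrong password, or ciphertext altered/truncated)"
    return "ok"


def extract_vault_blocks(yaml_text: str):
    """Yield (key, blob) for each `key: !vault |` literal in a vars file.
    A line scanner is enough for this layout and avoids a PyYAML dependency."""
    lines = yaml_text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if stripped.endswith("!vault |"):
            key = stripped.split(":", 1)[0]
            indent = len(lines[i]) - len(lines[i].lstrip())
            block = []
            i += 1
            while i < len(lines) and lines[i].strip() and len(lines[i]) - len(lines[i].lstrip()) > indent:
                block.append(lines[i].strip())
                i += 1
            yield key, "\n".join(block)
        else:
            i += 1


def check_vars_file(yaml_text: str, password: bytes) -> dict:
    """Map every vault-tagged key in the file to its check result."""
    return {key: check_vault_blob(blob, password) for key, blob in extract_vault_blocks(yaml_text)}


def demo() -> dict:
    """Run the check over constructed inputs, including the truncation failure modes."""
    password = b"example-vault-password"  # constructed, not a real secret
    salt = bytes(range(32))               # constructed; fixed so results are reproducible
    ciphertext = bytes(range(48))         # constructed stand-in for AES-CTR output
    blob = build_vault_blob(password, salt, ciphertext)
    # Constructed group_vars/all style file carrying the blob under one key
    vars_file = "encrypted_text_from_yml_file: !vault |\n" + "".join(
        "  " + ln + "\n" for ln in blob.splitlines())
    return {
        "file": check_vars_file(vars_file, password),
        "wrong_password": check_vault_blob(blob, b"not-the-password"),
        "cut_1_char": check_vault_blob(blob[:-1], password),   # outer hex now odd
        "cut_2_chars": check_vault_blob(blob[:-2], password),  # inner ciphertext hex now odd
        "cut_4_chars": check_vault_blob(blob[:-4], password),  # one ciphertext byte lost -> HMAC fails
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Losing an odd number of characters from the end of the string breaks the hex decoding outright, whereas losing a multiple of four keeps the string decodable and only the HMAC over the shortened ciphertext fails, which is the case that looks like a password problem until you read the -vvvvv output. Running `check_vars_file` over each vars file with the contents of the password file separates "wrong password" from "damaged string" before a playbook is executed.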

1
votes

In my case the error was caused by special characters. The decryption worked on my dev machine (Arch Linux) but failed when running on my CI machine (GitLab). I had injected the password as a secret variable, but as the password contained a $, apparently the decryption did not work.

After changing the password by removing all special characters and re-keying the vault and the encrypted strings with the new password, the problem was gone and the CI could successfully decrypt the vault.

0
votes

I had the same issue using the molecule test command. I tried to run the playbook with --ask-vault-pass and it worked, so I was thinking that the problem came from the Python version or from molecule, but in my case it was just the name of my vault-password-file, .vault, which is listed in the .gitignore file. As soon as I changed the name it worked fine.